#!/bin/bash
#
# THOR Thunderstorm Bash Collector
# Florian Roth
# June 2021
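VERSION="0.2.0"
# Settings ------------------------------------------------------------
# Log
LOGFILE="./thunderstorm.log"
LOG_TO_FILE=1
LOG_TO_SYSLOG=0 # Log to syslog is set to 'off' by default
LOG_TO_CMDLINE=1
# Facility for logger(1); log() builds the priority as "$SYSLOG_FACILITY.$type",
# so this must be set whenever LOG_TO_SYSLOG=1 ('user' is the logger default)
SYSLOG_FACILITY="user"
# Thunderstorm Server
THUNDERSTORM_SERVER="ygdrasil.nextron"
THUNDERSTORM_PORT=8080 # API port of the Thunderstorm server (default 8080)
USE_SSL=0
ASYNC_MODE=1
# Target selection
declare -a SCAN_FOLDERS=('/root' '/tmp' '/home' '/var' '/usr'); # folders to scan
MAX_AGE=14
MAX_FILE_SIZE=2000 # max file size to check in kilobyte, default 2 MB
# Log messages containing any of these substrings are dropped by log()
# (false-positive suppression); empty by default
declare -a EXCLUDE_STRINGS=()
# Debug
DEBUG=1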
# Code ----------------------------------------------------------------
#######################################
# Print a log timestamp to stdout.
# Outputs: ISO date and time joined by an underscore, e.g. 2021-06-01_12:34:56
#######################################
function timestamp {
  local -r fmt='+%F_%T'
  date "$fmt"
}
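#######################################
# Write one log event to the configured sinks.
# Globals:   DEBUG, EXCLUDE_STRINGS, LOG_TO_FILE, LOGFILE, LOG_TO_SYSLOG,
#            SYSLOG_FACILITY, LOG_TO_CMDLINE (all read)
# Arguments: $1 - level (e.g. info, error, debug)
#            $2 - message text
# Outputs:   appends "<ts> <level> <message>" to LOGFILE, sends to syslog,
#            and/or prints the raw message to stderr, per the LOG_TO_* flags
# Returns:   0 always; a message is dropped silently when it is a debug
#            message with DEBUG != 1 or matches an EXCLUDE_STRINGS entry
#######################################
function log {
  local type="$1"
  local message="$2"
  local ts message_cleaned ex_string
  ts=$(timestamp)
  # Only report debug messages if mode is enabled
  if [[ "$type" == "debug" && "$DEBUG" -ne 1 ]]; then
    return 0
  fi
  # Exclude certain strings (false positives): any configured substring
  # found in the message suppresses the whole event
  for ex_string in "${EXCLUDE_STRINGS[@]}"; do
    if [[ "${message/$ex_string}" != "$message" ]]; then
      return 0
    fi
  done
  # Remove line breaks so one event stays on one log line; file names and
  # server responses end up here and may carry CR/LF
  # (printf instead of echo avoids the trailing space echo's newline became)
  message=$(printf '%s' "$message" | tr -d '\r' | tr '\n' ' ')
  # Remove prefix (e.g. "[+] ", four characters) for the file/syslog variants
  if [[ "${message:0:1}" == "[" ]]; then
    message_cleaned="${message:4}"
  else
    message_cleaned="$message"
  fi
  # Log to file
  if [[ "$LOG_TO_FILE" -eq 1 ]]; then
    printf '%s %s %s\n' "$ts" "$type" "$message_cleaned" >> "$LOGFILE"
  fi
  # Log to syslog; fall back to the 'user' facility when none is configured,
  # otherwise logger is handed an invalid ".$type" priority
  if [[ "$LOG_TO_SYSLOG" -eq 1 ]]; then
    logger -p "${SYSLOG_FACILITY:-user}.$type" "$(basename "$0"): $message_cleaned"
  fi
  # Log to command line (stderr, so stdout stays free for the banner/pipes)
  if [[ "$LOG_TO_CMDLINE" -eq 1 ]]; then
    printf '%s\n' "$message" >&2
  fi
}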
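#######################################
# Verify that the tools the collector depends on are installed.
# curl is the only upload transport, so its absence is fatal.
# Globals:   none written (the original leaked a 'curl_avail' global)
# Outputs:   error via log() when curl is missing
# Returns:   0 when curl is available; exits the script with 1 otherwise
#######################################
function check_req {
  if ! command -v curl > /dev/null 2>&1; then
    log error "The 'curl' command can't be found but is needed"
    exit 1
  fi
}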
# Program -------------------------------------------------------------
# Banner on stdout (diagnostics go to stderr via log, so stdout stays clean)
printf '%s\n' \
  "==============================================================" \
  " ________ __ __ " \
  " /_ __/ / __ _____ ___/ /__ _______ / /____ ______ _ " \
  " / / / _ \/ // / _ \/ _ / -_) __(_-</ __/ _ \/ __/ ' \ " \
  " /_/ /_//_/\_,_/_//_/\_,_/\__/_/ /___/\__/\___/_/ /_/_/_/ " \
  " v$VERSION" \
  " " \
  " THOR Thunderstorm Collector for Linux/Unix" \
  " Florian Roth, September 2020" \
  "=============================================================="
# Root check -- a non-root run is only warned about, not refused; it will
# silently miss every file the current user cannot read
if [[ "$(id -u)" -ne 0 ]]; then
  log error "This script should be run as root to have access to all files on disk" 1>&2
fi
printf '%s\n' "Writing log file to $LOGFILE ..."
# Startup summary of the effective configuration
log info "Started Thunderstorm Collector - Version $VERSION"
log info "Transmitting samples to $THUNDERSTORM_SERVER"
log info "Processing folders ${SCAN_FOLDERS[*]}"
log info "Only check files created / modified within $MAX_AGE days"
log info "Only process files smaller $MAX_FILE_SIZE KB"
# Check requirements (exits if curl is missing)
check_req
# Some presets: derive the API endpoint and URL scheme from the settings
api_endpoint="check"
scheme="http"
(( ASYNC_MODE == 1 )) && api_endpoint="checkAsync"
(( USE_SSL == 1 )) && scheme="https"
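# Loop over filesystem
# Files are enumerated NUL-delimited and read with IFS= so that names
# containing whitespace or newlines (easy to create in /tmp or /home) cannot
# be split, trimmed or broken across iterations.
for scandir in "${SCAN_FOLDERS[@]}"; do
  find "$scandir" -type f -mtime "-$MAX_AGE" -print0 2> /dev/null | while IFS= read -r -d '' file_path; do
    # find may race with deletion; re-check before spending an upload
    [[ -f "$file_path" ]] || continue
    # Check Size (du -k reports allocated kilobytes, as the original did;
    # '--' keeps a name starting with '-' from being read as an option)
    filesize=$(du -k -- "$file_path" 2> /dev/null | cut -f1)
    if [[ -z "$filesize" ]]; then
      # unreadable or vanished file: skip instead of failing the comparison
      log debug "Skipping ${file_path}: size could not be determined"
      continue
    fi
    if (( filesize > MAX_FILE_SIZE )); then
      continue
    fi
    log debug "Submitting ${file_path} ..."
    # curl's --form parser treats ';' and ',' as field separators, so an
    # unquoted path with those characters is mis-parsed. Quote the path and
    # escape backslashes and double quotes, as the curl -F documentation
    # requires inside a quoted value.
    form_path=${file_path//\\/\\\\}
    form_path=${form_path//\"/\\\"}
    successful=0
    for retry in {1..3}; do
      # Submit sample
      # --max-time is a constructed default (seconds) so a stalled upload
      # cannot hang the collector indefinitely; tune per environment
      result=$(curl -s -X POST \
        --max-time 300 \
        "$scheme://$THUNDERSTORM_SERVER:${THUNDERSTORM_PORT:-8080}/api/$api_endpoint" \
        --form "file=@\"${form_path}\";filename=\"${form_path}\"")
      curl_exit=$?
      if [[ $curl_exit -ne 0 ]]; then
        log error "Upload failed with code $curl_exit"
        # back off only when another attempt follows
        (( retry < 3 )) && sleep $((2 << retry))
        continue
      fi
      # If 'reason' in result: treated as a rejected submission
      if [[ "$result" == *reason* ]]; then
        log error "$result"
        (( retry < 3 )) && sleep $((2 << retry))
        continue
      fi
      successful=1
      break
    done
    if [[ $successful -ne 1 ]]; then
      log error "Could not upload ${file_path}"
    fi
  done
done
exit 0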